how to hosts.allow and host.deny fc6

FCL_user · #1 13th September 2007, 12:13 AM

2 questions:

1) how to block 1 IP
When I add the IP in host.deny it don't seems to work
111.222.333.444.deny example

2) How to block all IP's and add only the IP's in hosts.allow
I tried to add in hosts.deny ALL:ALL but it does not work.

I'm using Fedora Core 6

Regards

FCL_user

InfRecursion · #2 13th September 2007, 09:15 PM

Add the line to /etc/hosts.deny

ALL:111.222.333.444

ibbo · #3 14th September 2007, 11:05 AM

To go further

Add
ALL:ALL to hosts.deny
This then stops everything dead by default

In hosts.allow you can then open bits n bats like ssh
sshd: <ip address>, <another ip address>
vsftpd: <ip address>

It should have worked just fine. Try looking at your firewall too to ensure certain ports etc are not blocked.

Ibbo

FCL_user · #4 15th September 2007, 01:05 AM

Quote:

Originally Posted by InfRecursion

Add the line to /etc/hosts.deny

ALL:111.222.333.444

I add the IP to /etc/hosts.deny

ALL:111.222.333.444

Then did the following things in therminal:

service iptables save

service iptables restart

And It does no work...!

Why?

Quote:

Originally Posted by ibbo

To go further

Add
ALL:ALL to hosts.deny
This then stops everything dead by default

In hosts.allow you can then open bits n bats like ssh
sshd: <ip address>, <another ip address>
vsftpd: <ip address>

It should have worked just fine. Try looking at your firewall too to ensure certain ports etc are not blocked.

Ibbo

Why does adding ALL:ALL in hosts.deny does not work?

also did:

Then did the following things in therminal:

service iptables save

service iptables restart

And It does no work again...!

Could it has something to do with the thing that a have a tcp port open in iptables?

My iptables:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 19000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

markkuk · #5 15th September 2007, 09:36 AM

iptables and hosts.allow/deny have nothing to do with each other. What do you mean exactly by "it does not work"? What services are you trying to control? How are you testing the function of tcp_wrappers? What messages do you see in system logs?

FCL_user · #6 15th September 2007, 03:58 PM

Quote:

Originally Posted by markkuk

iptables and hosts.allow/deny have nothing to do with each other. What do you mean exactly by "it does not work"? What services are you trying to control? How are you testing the function of tcp_wrappers? What messages do you see in system logs?

Hi Markkuk,

1) I add ALL:ALL to hosts.deny and it does not block ALL IP's ! that's what I mean with its does not work.

2) Is block one IP on a other linux pc, when I add ALL: IP it does not block that IP!

reagrds

markkuk · #7 15th September 2007, 05:12 PM

Quote:

Originally Posted by FCL_user

1) I add ALL:ALL to hosts.deny and it does not block ALL IP's !

What software are you using to test this? What protocol isn't blocked? Are you sure the server software is compiled with libwrap support?
You need to provide more specific information instead of just repeating "it does not work" if you actually want help with your problem.

Zotter · #8 16th September 2007, 10:44 PM

hosts.allow/hosts.deny are the config files for "tcpwrappers".
In order to be respected, application software has to be compiled with tcpwrappers enabled. tcpwrappers is an application level option. Obviously, not everything that can listen to TCP traffic has tcpwrappers compiled in. For those that do, it can be quite handy. Plus, tcpwrappers deals with TCP traffic and doesn't do anything with other protocols - such as UDP or ICMP.

iptables is a system level service that deals with IP traffic before applications ever see it, regardless of the protocoll running on IP. Thus, it'll work no matter how the application is compiled or the protocol involved (TCP,UDP, ICMP, etc). You can type in something like:

iptables -A INPUT -p ALL -s 11.22.33.00/24 -j REJECT

followed by an
iptables-save

And voila. You've now disallowed any and all IP traffic from the IP 'C' block range 11.22.33.00-255. If you want to 'disappear' to that block and not just disallow all traffic, change that REJECT to a DROP. To that IP block, you'll be a black hole, almost as if you don't exist (depending on how they look for you).

If you need to enable iptables, use:
chkconfig --levels 234 iptables on

If you need to start/stop/restart iptables without a reboot, use (handy for testing):
/etc/rc.d/init.d/iptables <stop | start | restart>
or
service iptables <start | stop> (does the same thing)

MarksCorner · #9 14th November 2010, 07:57 PM

Quote:

Originally Posted by Zotter

iptables is a system level service that deals with IP traffic before applications ever see it, regardless of the protocoll running on IP. Thus, it'll work no matter how the application is compiled or the protocol involved (TCP,UDP, ICMP, etc). You can type in something like:

iptables -A INPUT -p ALL -s 11.22.33.00/24 -j REJECT

followed by an
iptables-save

And voila. You've now disallowed any and all IP traffic from the IP 'C' block range 11.22.33.00-255. If you want to 'disappear' to that block and not just disallow all traffic, change that REJECT to a DROP. To that IP block, you'll be a black hole, almost as if you don't exist (depending on how they look for you).

If you need to enable iptables, use:
chkconfig --levels 234 iptables on

If you need to start/stop/restart iptables without a reboot, use (handy for testing):
/etc/rc.d/init.d/iptables <stop | start | restart>
or
service iptables <start | stop> (does the same thing)

Thats great now how can one see and edit the hosts that have been blocked?

***glennzo*** · #10 14th November 2010, 08:18 PM

Hello MarksCorner. With respect to your needs and the fact that this thread is three years old, go ahead and create a new thread so I can close this one. I'll wait a bit though.

MarksCorner · #11 14th November 2010, 09:19 PM

Quote:

Originally Posted by glennzo

Hello MarksCorner. With respect to your needs and the fact that this thread is three years old, go ahead and create a new thread so I can close this one. I'll wait a bit though.

Thanx and sorry...
I started a new thread on what I am trying to accomplish here.
http://forums.fedoraforum.org/showth...21#post1416621